Security at Aude.ai

Aude.ai helps engineering organisations turn day-to-day delivery work into performance and coaching insights. Because we process data about your teams and their workflows, security and privacy are core to how we design, build and operate the service.

This page summarises how we protect Customer Data. Capitalised terms (like “Customer Data” and “Customer Personal Data”) have the same meaning as in our Terms of Service and Data Processing Agreement (DPA).

1. Data we process

Aude.ai is designed to work primarily with engineering metadata, not source code or client financial records.

Typical data we process includes:

  • Identity & organisation data

    • Names, work email addresses and usernames/handles

    • Team or squad membership, roles, and reporting lines (if present)

  • Work metadata

    • IDs and titles of work items, pull requests, branches, pipelines and documents

    • Statuses, timestamps (creation, update, close) and relationships between items

  • Collaboration context

    • Channel / space names and participants

    • Limited message and comment text from team-visible channels and workspaces (e.g. ticket comments, public Teams channels)

  • Usage data

    • Sign-in events, feature usage, configuration options and other telemetry about how the Service is used

We do not require or intentionally process:

  • Source code contents

  • End-customer financial account data

  • HR files, salary data or other sensitive employee records

  • Private messages, DMs or personal email

Customers should avoid sending special categories of personal data (e.g. health data, religion, trade union membership) into integrated tools used with Aude.ai.

2. Architecture & infrastructure security

Aude.ai is hosted on reputable cloud infrastructure providers (such as Amazon Web Services and Microsoft Azure). We rely on their physical and environmental controls for:

  • Data centre access control and monitoring

  • Redundant power, networking and hardware

  • Environmental protections (fire, flooding, temperature)

Aude.ai personnel do not have physical access to the servers running the Service. Access is limited to secure remote administration from managed, encrypted devices.

We separate production and non-production environments and apply secure-by-default configurations (network rules, encryption, logging) provided by our cloud platforms.

3. Application security & access controls

Access to Aude.ai is controlled via authenticated user accounts.

  • Authentication

    • Passwords (where used) are stored using industry-standard hashing.

    • Administrative access to production systems requires strong authentication (e.g. SSO and/or multi-factor authentication).

  • Authorization

    • Role-based access control (RBAC) limits what users can see and do based on their role.

    • Customer admins can invite/remove users and manage access within their own organisation.

  • Least privilege

    • Only a small number of authorized engineers have access to production systems.

    • Access rights are granted on a least-privilege basis and reviewed periodically.

    • Offboarding procedures remove access when staff change roles or leave.

4. Encryption

We encrypt Customer Personal Data in transit and at rest.

  • In transit

    • All connections to the Aude.ai application use HTTPS (TLS 1.2 or higher).

    • Integrations with third-party systems (e.g. Azure DevOps, Confluence, Microsoft Teams) use secure, authenticated APIs over TLS. We do not allow plaintext transmission of Customer Personal Data over the network.

  • At rest

    • Data is stored on managed cloud databases and storage that use industry-standard encryption at rest (e.g. AES-256 via cloud-provider managed keys).

    • Access to encryption keys and secrets is restricted to a small set of authorized operations staff.

5. Logging, monitoring & incident response

We log key application and infrastructure events, including:

  • Authentication and authorisation events

  • API calls and configuration changes

  • System errors and unusual behaviour

  • Administrative actions in production

Logs may contain limited Customer Personal Data (such as usernames or IDs) and are protected with the same controls as production data.

We use logging and observability tooling to:

  • Monitor service health and performance

  • Detect and investigate errors and anomalies

  • Support security investigations and incident response

If we become aware of a security incident impacting Customer Data, we will:

  1. Investigate and contain the issue.

  2. Assess impact and risk.

  3. Notify affected customers without undue delay, consistent with our contractual and legal obligations.

  4. Implement corrective actions and improvements.

6. Backups, continuity & resilience

To support availability and recovery, we:

  • Use managed cloud databases with built-in redundancy and durability guarantees.

  • Perform automated backups of core data stores and retain them for a limited period.

  • Periodically verify that backups are restorable.

In the event of data corruption or loss, we can restore data from recent backups and recover service operation within a commercially reasonable timeframe.

7. Data minimisation, retention & deletion

Aude.ai follows data-minimisation and limited-retention principles:

  • We ingest and store only the data needed to provide the Service (primarily engineering metadata and limited collaboration context).

  • We do not require source code, client financial data or HR records for the core product.

  • Raw integration data is retained for a limited period to generate and validate insights, then aged out or anonymised where possible.

When a customer terminates the Service or requests deletion:

  • We delete or anonymise Customer Personal Data from active systems within a commercially reasonable period, in line with our Data Processing Agreement and internal retention policy.

  • Residual copies may remain in time-limited backups, which expire on their normal schedule.

8. Sub-processors

To provide the Service, Aude.ai uses carefully selected sub-processors for infrastructure, logging, email, billing and AI processing.

For all sub-processors:

  • We put in place written agreements that include appropriate data-protection and security obligations.

  • We remain responsible for their performance with respect to Customer Personal Data.

  • We notify customers of material changes to our sub-processor list as described in our Data Processing Agreement.

A current list of sub-processors, including their roles and locations, is included in our DPA and is available to customers on request. Please contact us at security@aude.ai if you need the latest copy.

9. Data protection & privacy

When we process Customer Personal Data on your behalf, Aude.ai acts as a processor and you act as the controller (or processor for your own controller). This processing is governed by our Data Processing Agreement (DPA), which incorporates appropriate transfer mechanisms for UK/EU data where applicable.

For personal data that Aude.ai processes as controller (for example, website visitors and account contacts), our Privacy Policy applies.

10. Customer responsibilities

Security is a shared responsibility. Customers are responsible for:

  • Managing user accounts and access within their organisation (invites, removals, role assignments).

  • Configuring integrations (e.g. which projects, spaces or channels are connected) to avoid ingesting data that should not be processed.

  • Ensuring their own systems, identity providers and devices are appropriately secured.

  • Complying with applicable laws when using the Service, including obtaining any necessary consents and handling data subject requests.

11. Questions & contact

If you have questions about Aude.ai’s security practices, need a copy of our DPA or sub-processor list, or would like to discuss a security questionnaire, please contact:

Email: security@aude.ai

We’re happy to work directly with your security, legal or compliance teams as part of your evaluation or onboarding process.